Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IF Statement customized EVAL

jerinvarghese
Communicator
‎01-25-2021 02:21 AM

Hi All,

need help in my query, formatting an IF statement.

My Code: 

 

 

 

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table  sitecode, nodelabel, Status,Time

 

 

 

 

My Output: 

sitecodenodelabelStatusTime
ABMARABMLANCCO1Up1/23/2021 14:35
ABMARABMLANCUA1Up1/23/2021 8:26
ABMARABMLANCUA2Up1/23/2021 8:25
ABMARABMWANRTC1Up1/23/2021 8:25
ABMARABMLANCUA3Up1/23/2021 8:25
ABMARABMLANCUA4Up1/23/2021 8:25
ABMARABMAPNOPT1Up1/19/2021 13:37
ZBQBRZBQLANCUA1Up1/19/2021 13:37

 

Above table am getting from my code.

Requirement : 

I want to list down all devices from that sitecode which have any of these name ("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*") these keyword in nodelabel. rest all site code should be removed from the list.

 

In my output. Am having ABM site which matches any of that Keyword and that to be displayed, where as ZBQ doesnt have any of that keyword devices in the list, so it should be removed.

like and IF ("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*")  any of this present in device names, then the complete list to be displayed. 

 

Labels (6)
Labels
0 Karma
Reply

jerinvarghese
Communicator
‎01-25-2021 03:03 AM

This is filtering only devices which have "WANRTC|LANCCO|WLNWLC|APNINT". rest all devices from that site removed. I want other devices also from that site including the above one.

0 Karma
Reply

renjith_nair
Legend
‎01-25-2021 04:37 AM

alright,

Try

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table  sitecode, nodelabel, Status,Time
| eventstats values(eval(if(match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT"),1,null()))) as isPresent by app
| where isPresent == 1

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

renjith_nair
Legend
‎01-25-2021 02:41 AM

Does this help?

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table  sitecode, nodelabel, Status,Time
| where match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT")

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...